Other koa middlewares (For Eg. koa-passport) , which work with sessions, expect session to be exposed at ctx.session as a plain key-val object. but the JWTSession exposed by this plugin exposes session ONLY as a plugin service, making it impossible to integrate transparently with other koa-middlewares that work with sessions.

Type of issue

Feature Request

Description

When using this plugin as Session Provider in fusion app, any koa-middleware should be able to transparently use it just as if its koa's session (For Eg. koa-session)

Basic requirements for that would be to

1. Expose session object in context at ctx.session
2. session should allow access like plain object and should not mandate usage of get and set methods for working with values in session.

Current behavior

Session can only be accessed by creating a fusion plugin and declaring dependency on JWTSession.

Miidlewares written for koa with no consideration of fusion can not access session as these libraries expect session to be exposes as property on context object.

Expected behavior

koa-middlewares should be able to access session via context, For Eg. ctx.session

Steps to reproduce

NA

Your environment

NA

Repro steps:

Run the following code

// src/main.js
import React from 'react';
import App from 'fusion-react';
import Session, {
  SessionSecretToken,
  SessionCookieNameToken,
} from 'fusion-plugin-jwt';

export default async function start() {
  return new App(<div>hello</div>);
}

Open browser console

Expected

• no error

Actual

This error is thrown: Uncaught ReferenceError: process is not defined

It would be nice if a cookie was only set when needed, rather than always being set

Type of issue

Probably user error

Description

I am using session.set in an RPC handler but the cookie is not being updated.

Current behavior

The data is not saved.

Expected behavior

The data should be present in the next request/response cycle.

Steps to reproduce

I have this plugin:

import {SessionToken} from 'fusion-tokens';
import {createPlugin} from 'fusion-core';

export default createPlugin({
  deps: {Session: SessionToken},
  middleware({Session}) {
    return (ctx, next) => {
      const session = Session.from(ctx);
      ctx.session = session;
      return next();
    }
  }
});

and this RPC handler:

let nextId = 0;

export default {
  create: async ({title}, ctx) => {
    try {
      const {session} = ctx;
      let todos = JSON.parse(session.get('todos') || '[]');
      console.log("LOADED")
      console.log(session)

      todos = [...todos, {id: nextId++, title, completed: false}];
      session.set('todos', JSON.stringify(todos));
      console.log("ADDED")
      console.log(session);

      return {todos};
    } catch (e) {
      console.log(e.message);
    }
  },
}

Attempting to create a todo results in this console output:

LOADED
JWTSession {
  config:
   { secret: 'some-secret',
     cookieName: 'some-cookie-name',
     expires: 86400 },
  cookie:
   'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpYXQiOjE1MzM0NTEzODAsImV4cCI6MTUzMzUzNzc4MH0.wl1hg-x2QxLhiOnrKOTCl-xSQ_-UECxxV8T3Gq7Cyvo',
  token: { iat: 1533451380 } }
ADDED
JWTSession {
  config:
   { secret: 'some-secret',
     cookieName: 'some-cookie-name',
     expires: 86400 },
  cookie:
   'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpYXQiOjE1MzM0NTEzODAsImV4cCI6MTUzMzUzNzc4MH0.wl1hg-x2QxLhiOnrKOTCl-xSQ_-UECxxV8T3Gq7Cyvo',
  token:
   { iat: 1533451380,
     data:
      { todos: '[{"id":3,"title":"Go to the store","completed":false}]' } } }

The next create also starts with no data. Notice the id: 3, although I have not deleted 1 or 2 (they were not persisted). The iat also never changes, but I am not sure if it is supposed to.

Your environment

• fusion-plugin-jwt version: 1.0.5

• Node.js version (node --version): 10.6.0

• npm version (npm --version): 6.1.0

• Operating System: Mac Os

It seems we still have a problem with handling expired cookies.

  Error: Bad "options.expiresIn" option the payload already has an "exp" property.
      at Object.module.exports [as sign] (/Users/ganemone/dev/graphene-example/node_modules/jsonwebtoken/sign.js:125:20)
      at bound  (internal/util.js:227:26)
      at Plugin$2.middleware (/Users/ganemone/dev/graphene-example/node_modules/fusion-plugin-jwt/src/jwt-server.js:55:30)
      at <anonymous>
      at process._tickDomainCallback (internal/process/next_tick.js:228:7)

We need to export the SessionSecretToken, SessionCookieNameToken, and SessionCookieExpiresToken to be able to configure the plugin correctly.

Currently if the signature is invalid on a GET request, we send an error response. This causes issues in development when developing multiple projects on localhost:3000. I think we should make two changes to mitigate this.

1 - The cookie name should probably be scoped to the service. The only downside here is if you wanted to share a session across multiple services. However, this could be solved by syncing up the config between the services.

2 - A request with an invalid cookie should not error. Instead, we should reset the session.

Does this sound reasonable?

Problem/Rationale

Documentation regarding Fusion API is out of date given recent changes to leverage new Dependency Injection architecture.

Solution/Change/Deliverable

Update documentation

Since DI already complains if there are extraneous non-plugins, there's no point in also exporting a function that throws